Re: [Pdns-users] recursor: no reverse lookups

2018-11-19 Thread Sig Pam
Frank,

thank you for your input. I thought it could go in this direction (recursor is 
by definition non-auth), and – well, I think I don’t have to care about that. 
But I’ll read more of the theory of auth/non-auth and its impact.

   Sig


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

 



Re: [Pdns-users] recursor: no reverse lookups

2018-11-19 Thread Frank Louwers via Pdns-users
Sig,

First of all it’s best not to use nslookup. It can produce unpredictable and 
sometimes false results. Please use a tool like “dig” or “drill”.

Is 192.168.94.66#53 the authoritative server for that 94.168.192.in-addr.arpa 
domain? If so, then yes, the result is an authoritative answer, as the 
auth-server provided that answer.

Your pdns-recursor in front of it is a recursor, so the result is non-auth.

Hope this helps…

Frank Louwers


> On 19 Nov 2018, at 09:03, Sig Pam <s...@itserv.de> wrote:
> 
> One more thing. Maybe you have a quick idea, I did not run through the docs 
> for that.
> 
> Asking my DNS for a reverse address gives an authoritative answer:
> 
> [root@hallo ~]# nslookup
> > server sixtysix
> Default server: sixtysix
> Address: 192.168.94.66#53
> > 192.168.94.123
> Server: sixtysix
> Address:   192.168.94.66#53
> 
> 123.94.168.192.in-addr.arpa name = fileserver.corp.domain.de.
> 
> Asking pdns-recursor is a non-authoritative answer
> 
> > set port=5300
> > 192.168.94.123
> Server: sixtysix
> Address:   192.168.94.66#5300
> 
> Non-authoritative answer:
> 123.94.168.192.in-addr.arpa name = fileserver.corp.domain.de.
> 
> Authoritative answers can be found from:
> 
> Any quick idea?
> 
>    Sig


Re: [Pdns-users] recursor: no reverse lookups

2018-11-19 Thread Sig Pam
One more thing. Maybe you have a quick idea, I did not run through the docs for 
that.

Asking my DNS for a reverse address gives an authoritative answer:

[root@hallo ~]# nslookup
> server sixtysix
Default server: sixtysix
Address: 192.168.94.66#53
> 192.168.94.123
Server: sixtysix
Address:   192.168.94.66#53

123.94.168.192.in-addr.arpa name = fileserver.corp.domain.de.

Asking pdns-recursor is a non-authoritative answer

> set port=5300
> 192.168.94.123
Server: sixtysix
Address:   192.168.94.66#5300

Non-authoritative answer:
123.94.168.192.in-addr.arpa name = fileserver.corp.domain.de.

Authoritative answers can be found from:

Any quick idea?

   Sig



Re: [Pdns-users] recursor: no reverse lookups

2018-11-18 Thread bert hubert
On Sun, Nov 18, 2018 at 04:10:52PM +0100, bert hubert wrote:
> On Sun, Nov 18, 2018 at 03:00:53PM +, Sig Pam wrote:
> > [root@hallo ~]# nslookup - 192.168.94.66
> > 
> > > set port=53
> > 
> > > 192.168.94.66

Ok, I see it now, try adding: serve-rfc1918=off
What you are seeing is that the powerdns recursor is answering your
192.168.in-addr.arpa queries itself.

Bert
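
The behaviour described in this reply, as an added example that is not part of the original thread: a shell sketch that predicts from recursor.conf whether a reverse lookup is answered by the recursor's built-in RFC 1918 zones or follows the forward rule. The function names are hypothetical, the two config files are constructed from the listing posted in the thread, and it assumes no forward or auth zone more specific than "." covers the reverse zone.

```shell
#!/bin/sh
# Added example: predicts who answers a PTR query, from recursor.conf alone.

# Last uncommented value of a setting; empty when the setting is absent.
conf_get() {  # conf_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# True when the address is in RFC 1918 space (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "builtin" when the recursor answers the reverse lookup itself,
# "forwarded" when the query follows the configured forward rules.
ptr_path() {  # ptr_path FILE IPV4
    v=$(conf_get serve-rfc1918 "$1")
    # PowerDNS reads only "no" and "off" as false; unset means the default (yes).
    if is_rfc1918 "$2" && [ "$v" != "no" ] && [ "$v" != "off" ]; then
        echo builtin
    else
        echo forwarded
    fi
}

# Constructed copies of the configuration posted in the thread.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
printf '%s\n' 'forward-zones-recurse=.=127.0.0.1:53' 'local-port=5300' > "$before"
{ cat "$before"; echo 'serve-rfc1918=off'; } > "$after"

ptr_path "$before" 192.168.94.66   # builtin: the NXDOMAIN seen on port 5300
ptr_path "$after"  192.168.94.66   # forwarded: Bind9 answers via the forward
ptr_path "$before" 8.8.8.8         # forwarded: not private address space
```

After changing the setting and restarting the recursor, the dig -x query suggested earlier in the thread, sent to port 5300, confirms the result against the live server.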


Re: [Pdns-users] recursor: no reverse lookups

2018-11-18 Thread bert hubert
On Sun, Nov 18, 2018 at 03:00:53PM +, Sig Pam wrote:
> [root@hallo ~]# nslookup - 192.168.94.66
> 
> > set port=53
> 
> > 192.168.94.66

Hi Sig,

Before delving deeper into this, can you try:

dig -x 192.168.94.66 @yourips ?

We never know what nslookup sends out, so it is hard to debug through that.

Bert


[Pdns-users] recursor: no reverse lookups

2018-11-18 Thread Sig Pam
Hi all!

I have trouble with reverse lookup of IP addresses. Reverse lookups work when I 
directly request my Bind9, but not pdns-recursor forwarding the request to the 
same Bind9. I do this because I want to use the lua-script facility to filter 
incoming requests, allowing only the lookup of named zones and domains.

I run pdns-recursor (4.0.4, Debian) on the same machine as my Bind9. Bind9 
listens to port 53, pdns-recursor to 5300 (should be interchanged in the 
future). The Bind is able to resolve either local zones or looks up any 
IP-address on the web.

Here is my config file for pdns-recursor:

root@host:/etc/powerdns# grep -v '#' recursor.conf |grep -v '^$'
config-dir=/etc/powerdns
forward-zones-recurse=.=127.0.0.1:53
hint-file=/usr/share/dns/root.hints
local-address=0.0.0.0
local-port=5300
quiet=yes
security-poll-suffix=
setgid=pdns
setuid=pdns

With this setup, I can forward lookup all IP addresses - my local zones as well 
as Internet addresses, both by directly asking Bind9 as well as pdns-recursor.

However, the reverse lookup does only work when I directly talk to Bind, but 
not when asking pdns-recursor.

This is the answer from Bind (port 53) (192.168.94.66 is the Bind/pdns-recursor 
test server)

[root@hallo ~]# nslookup - 192.168.94.66
> set port=53
> 192.168.94.66
Server: 192.168.94.66
Address:   192.168.94.66#53

66.94.168.192.in-addr.arpa name = sixtysix.corp.mydomain.de.

And this from pdns-recursor (port 5300)

[root@hallo ~]# nslookup - 192.168.94.66
> set port=5300
> 192.168.94.66
Server: 192.168.94.66
Address:   192.168.94.66#5300

** server can't find 66.94.168.192.in-addr.arpa.: NXDOMAIN

I don’t understand what might be wrong with the lookup of IP addresses through 
pdns-recursor, as I (think I) forward all requests to my Bind with the 
forward-zones-recurse=.

Can somebody please help me and tell me what’s wrong?

Thank you very much!

    Sig
